Privacy policy.

justenv is built so we cannot read your secrets. The cryptographic details are on the Security page.

This policy explains the thin layer of data we do touch:

• Your account email, so you can sign in and we can email you receipts.
• Your plan and billing status (Stripe handles the card; we never see it).
• Anonymous, aggregated usage events about which screens load and how fast.

The Mac app encrypts your vault locally with AES-256-GCM using a key derived from your master password (PBKDF2-HMAC-SHA256, 210,000 iterations). The vault lives at ~/Library/Application Support/JustEnv/vault.json as ciphertext only.

If you opt into team sync Roadmap the only things that ever reach our servers are the encrypted blob and minimal metadata: project name, environment label (e.g. production), and timestamps. Values stay encrypted.

• Account. Email address used to sign in. Optional display name.
• Billing. Stripe customer ID, plan, and subscription status. Stripe handles card data — we never receive or store card numbers.
• Product analytics. Page views, button clicks, error traces. We use Vercel Analytics, which is privacy-friendly, cookieless, and uses no persistent user identifier.
• Support correspondence. If you email us, we keep that thread to follow up.

• The values of your secrets (we only ever see ciphertext).
• The contents of your .env files at rest on your Mac.
• Your terminal history, shell sessions, or anything outside the app.
• Cross-site browsing data — we run no third-party trackers.
• Your IP address in product analytics events (Vercel truncates it server-side).

• Account email & plan: for as long as you have an account, plus 30 days after closure for fiscal compliance.
• Aggregated analytics: 90 days, then deleted.
• Error logs: 30 days, with values redacted.
• Team workspaces Roadmap — ciphertext blobs are kept until the workspace owner deletes them. Hard-delete is permanent within 30 days.

We use the following providers to run justenv:

• Stripe — payment processing.
• Resend — transactional email (magic links, receipts).
• Vercel — hosting and product analytics.
• MongoDB Atlas — ciphertext storage for team sync. Roadmap

We have signed data-processing agreements with each of them. If we add a new sub-processor, we update this list at least 30 days before they begin handling your data.

Under Mexican law (LFPDPPP) and equivalent regimes like GDPR, you have the right to:

• Access the data we hold about you.
• Export it in a portable format.
• Correct anything inaccurate.
• Delete it entirely.
• Withdraw consent for analytics.

To exercise any of these, email privacy@justenv.app. We respond within 20 business days, usually much faster.

justenv.app sets a single first-party cookie to remember whether you are signed in. No cross-site trackers. No advertising pixels. Vercel Analytics works without any cookie at all.

justenv is for developers, not for children. We do not knowingly accept accounts from anyone under 13. If you believe a minor has created an account, email privacy@justenv.app and we will delete it.

When we change this policy, we bump the version at the top and update the effective date. For material changes, we email account holders and show an in-app banner at least 14 days before the new version takes effect.

Privacy questions or rights requests: privacy@justenv.app.
General support: elfora.dev@gmail.com.